BitB: new phishing technique to recover your password


Alexander Boero

March 22, 2022 at 6 p.m.


Phishing

A researcher has come up with a technique that creates hijacked login forms that become very difficult to detect.

Phishing, or hameçonnage in French, is a hacking technique almost as old as the world on the scale of cybersecurity, so it is not surprising to see it evolve. What is worrying is the direction of that evolution, with the appearance of a relatively new technique that is likely to trap a large number of users, even the best informed.

An undetectable phishing technique…

It is becoming more and more common: the familiar login page that appears in your browser and tries to make you believe you are signing in to Facebook, Outlook or Google (or any site that uses the OAuth protocol), and through which you must enter your credentials. Often, by elimination, we can guess which page is legitimate and which is not. Attackers are usually betrayed by the URL, which is not secure or is of the facebOOk .com or g00gle .fr type. A slightly attentive user, without being specially trained, can spot the deception.

Except that a cybersecurity researcher and developer who goes by the handle mrd0x realized that these phishing login forms could, using fake Chrome browser windows, now be more credible than ever.

He has indeed developed a BitB, or “Browser in the Browser” attack: a kind of digital mise en abyme that uses a predefined template to create a fake Chrome popup, one that fools everyone and carries a custom URL in its address bar which, at first sight, looks completely legitimate to us.


On the left, a fake login form; on the right, a real one (© mrd0x)

… or almost!

The researcher has published a toolkit on the GitHub platform that allows everyone to quite easily set up a BitB-type attack from the Mountain View company’s browser, Google Chrome. And it works on most of the major social networks or the most well-known SaaS apps.

So if the attack is not unprecedented in form, it is, as you will have understood, above all the substance that is surprising, since the attacker can now deceive the user even on the URL, with a technique that uses various HTML tricks and style sheets (CSS) to very convincingly mimic the window that is supposed to open and ask you to log in to a social network or platform. The point here is not to give bad ideas or to relay them, because the technique has already been spotted before, in particular in 2020, when hackers tried to steal credentials for the Steam video game platform.

And if you think it is hopeless, don't leave too quickly, because this method, although very convincing, still suffers from some small flaws. Real OAuth windows can, for example, be resized or moved around your screen, since they are a separate browser instance from the main page; this is not the case for BitB windows, which cannot be resized, since they are just HTML and CSS drawn inside the page. The other defence remains a password manager, which will not fill in credentials on BitB forms because these are dummies: it will not recognize them. Finally, to avoid any danger, prefer multi-factor authentication as soon as you can.
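The flaw described above can also be turned into a detection heuristic: a genuine OAuth popup is a separate top-level window, so its address bar is browser UI and never appears in any page's DOM, whereas a BitB "window" is ordinary page content, so the text it shows as an address bar lives inside the phishing page itself. The JavaScript below is an added example, not code from the article or from mrd0x's toolkit. It models what a browser-extension content script could do: collect the visible text of a page, look for strings that imitate an address bar for a well-known login host, and flag them when the page is actually hosted somewhere else. The watch list of login hosts, the sample page text and the `example-shop.test` hostname are constructed for the example.

```javascript
"use strict";

// Assumed watch list: login hosts that phishing kits commonly imitate.
const TRUSTED_LOGIN_HOSTS = [
  "accounts.google.com",
  "facebook.com",
  "login.microsoftonline.com",
  "login.live.com",
  "steamcommunity.com",
];

// Text that reads like the contents of a browser address bar: an optional
// padlock glyph, an optional scheme, a hostname and an optional path.
const ADDRESS_BAR_RE =
  /^(?:\u{1F512}\s*)?(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]\S*)?$/iu;

// Return the hostname shown in an address-bar-like string, or null.
function addressBarHost(text) {
  const m = ADDRESS_BAR_RE.exec(text.trim());
  return m ? m[1].toLowerCase() : null;
}

// Which watch-list entry (if any) does this host belong to?
function matchedTrustedHost(host) {
  return TRUSTED_LOGIN_HOSTS.find((t) => host === t || host.endsWith("." + t)) || null;
}

// snippets: visible text of page elements (a content script would collect
// these from document.body); pageHost: window.location.hostname of the page.
// A finding means the page paints an address bar for a login host it is not on.
function scanForBitB(snippets, pageHost) {
  const page = pageHost.toLowerCase();
  const findings = [];
  for (const text of snippets) {
    const host = addressBarHost(text);
    if (!host) continue; // not address-bar-like text
    const trusted = matchedTrustedHost(host);
    if (!trusted) continue; // not a host we care about
    const pageIsSameSite = page === trusted || page.endsWith("." + trusted);
    if (pageIsSameSite) continue; // the real site may legitimately show its own URL
    findings.push({ text: text.trim(), imitatedHost: host, realHost: page });
  }
  return findings;
}

// Constructed sample: text a content script might collect from a page hosted
// on example-shop.test that draws a fake Facebook login window in HTML/CSS.
const SAMPLE_SNIPPETS = [
  "Sign in with Facebook",
  "\u{1F512} https://www.facebook.com/login.php", // fake address bar, painted by the page
  "Email or phone",
  "https://example-shop.test/help", // the page's own link text, not a login host
];

function demo() {
  return scanForBitB(SAMPLE_SNIPPETS, "example-shop.test");
}

console.log(JSON.stringify(demo(), null, 2));
```

The heuristic is deliberately one-sided: it only fires when a page that is not the login provider displays the provider's URL as if it were browser chrome, which is exactly the property a BitB window cannot avoid. A real popup produced by `window.open` never puts its URL into the opener's DOM, so legitimate OAuth flows are not flagged; the same-site check also keeps a provider's own pages (which may print their URL in help text) out of the findings.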


Sources: mrd0x, Ars Technica
